When Leadership Ignores DDoS Risk - 3 Tips for CISOs

This blog was originally published by MazeBolt here.

Written by Yotam Alon, MazeBolt.

A global telecom company suffered substantial damage from a DDoS attack, surprising its board and C-suite leaders, who had believed that they were well protected from DDoS attackers. The sudden attack brought their network down and in a waterfall effect, affected customer businesses across various industry segments including banking, retail, mobility, and even social media. A post-mortem of the attack brought out surprising findings but the most important one, across the board, was the limited importance attributed to DDoS attacks within the enterprise’s risk landscape.

Overall, enterprises engage sophisticated technologies to protect business assets and are committed to cybersecurity. Also, most enterprises remain confident that their mitigation solutions will ensure total protection from damaging DDoS attacks. The wake-up call comes when the organization is under an attack and by then it is often too late. One of the key reasons for this is that enterprises expect their existing defense solutions to protect them without realizing that DDoS is a different type of threat altogether and needs to be handled differently. A classic example in recent times is the New Zealand stock exchange DDoS attacks that brought down the exchange for several days. In the wake of the aftermath, its CIO who had served the company for over 11 years, resigned.

A clear understanding of the DDoS landscape, the threat factors, and the mitigation solution itself is required by all stakeholders in an enterprise. Without this understanding, the commitment is reduced, and the responsibility falls on a few to explain and suffer the consequences of an attack.

Here are 3 tips that can help CISO’s involve and engage stakeholders in the DDoS strategy:

DDoS is Not Just an IT Issue

DDoS mitigation is not an IT issue limited to bandwidth and networking. It is a global concern that affects business continuity, reputation, and customer loyalty, and therefore requires the complete engagement and involvement of business leaders. What could help is changing the discussions from DDoS mitigation to educating leaders about the implications of DDoS attacks. This would involve strategic information of the risk environment, and their personal obligations as stakeholders to stay committed to the ultimate DDoS protection strategy. McKinsey in a recent cybersecurity report says, “Business leaders and CISO’s must work together to identify and protect the “crown jewels”—those corporate assets that generate the most value for a company.” If the mind shift happens across all levels in an organization, the overall attitude to DDoS will shift from DDoS mitigation to DDoS protection.

Implications for Business

DDoS risk is not a static but a dynamic challenge with empowered mitigation solutions. The DDoS threat landscape is continuously shifting with new threats, new vulnerabilities, and new forms of attacks emerging almost on a day-to-day basis. For businesses, the impact of DDoS attacks is substantial both in the short and long terms. Short-term damages, for example, are costs associated with downtime/latency, and loss of immediate revenue, personnel costs associated with mitigating attacks. The long-term impact would be customer churn, regulatory repercussions, and compromised data. The blog 'Calculate the Cost of DDoS Attacks' explains in detail the repercussions of DDoS attacks for enterprises.

Enterprises should remain convinced about the urgency to manage the threat landscape and invest in innovation by adopting technology solutions that provide preemptive protection. Protection instead of mitigation is key to ensuring DDoS protection irrespective of changes to the network or new DDoS threats. The conversation in boardrooms will then be 'Glad to note that we are ensuring DDoS protection.’

Reactive Responses Post-Attack

Even with the most sophisticated DDoS mitigation and testing solutions deployed, most companies are left with major DDoS vulnerabilities. DDoS mitigation security policies don't adapt to dynamic changes happening in the network, leaving around 50% of DDoS vulnerabilities undetected and therefore unprotected. Furthermore, mitigation solutions and infrequent Red Team DDoS testing is reactive, rather than automatically and continuously detecting and closing vulnerabilities.

References:

https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
https://www.linkedin.com/pulse/challenges-cause-cisos-fail-gary-hayslip-cissp-/
https://www.finextra.com/newsarticle/36664/nzx-cio-quits#:~:text=The%20New%20Zealand%20stock%20exchange's,search%20underway%20for%20his%20successor.
https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx

About the Author

Yotam is Head - R&D at MazeBolt and is in charge of all R&D activities, infrastructure and security. With five years in the security industry, Yotam brings fresh perspectives and insights into current technologies and development flows. He holds a BSc. in mathematics and philosophy and enjoys hitting the archery range in his spare time.